The world’s largest cryptocurrency exchange by trading volume, Binance, faced an embarrassing situation on July 3, 2018, as attackers took advantage of an API hack to sell a single Syscoin (SYS) for 96 bitcoins (BTC).
Binance API Attacked
Over a billion SYS were moved from a wallet, rumoured to be owned by Binance, after enterprising attackers took advantage of the exchange’s Application Programming Interface (API), which determines the protocol for facilitating the trading of listed cryptocurrencies.
Syscoin confirmed the fallacy in a tweet –
We are investigating a possible issue on the Syscoin blockchain, nothing is confirmed but we have asked for exchanges to halt trading while we investigate.
— Syscoin (@syscoin) July 3, 2018
While fears of a possible blockchain hack emerged as the news picked traction, Syscoin’s fundamental protocol are built to avoid a 51 percent attack as the currency is “merged-mined” with Bitcoin.
Trading is suspended on Binance for security reasons and they confirmed an API hack via Twitter. At the time of writing, the exchange has reopened API key creations –
— Binance (@binance) July 4, 2018
However, Bitcoin developer Jameson Lopp believes the attack is not an API issue:
“The hackers could have exploited a vulnerability in the blockchain’s protocol. Breaking the monetary supply rules for a cryptocurrency can’t be accomplished via a 51% attack; this indicates that a flaw has been found and exploited at the protocol level.”
Lopp made references to a similar issue in 2010 when Bitcoin was exploited to create 186 billion BTC.
SYS-BTC Makes Outrageous Trades
After exploiting the API, the attackers sold a single SYS for 96 BTC or 623,000 at current exchange rates.
A look at the trading charts shows a large green spike after SYS went from a few cents to the mammoth valuation.
Despite the attack, speculative investors traded Syscoin on other exchanges and caused a pump in its price. The coin has surged by 85 percent and is the world’s 61st largest cryptocurrency at the time of press.
Media Rumors Blockchain Attack
After the development, several media outlets stated the Syscoin blockchain was compromised. However, this is untrue as the currency is “merged-mined” with Bitcoin and reaching a 51 percent hashrate on its protocol is not an instant task.
Simply put, the attackers got couple of API keys from different users, bought overpriced SYS and took created fake order books. In quick succession, and by presumably deploying liquidity bots, the attackers could reach the ultimate figure of 96 BTC/SYS.
There is no evidence of new coins created or a vulnerable blockchain. The billions of SYS moved were likely from a Binance wallet, which moved as the bots made trades.